Cyber Security: Are we learning ANY lessons?

By Stephen Hancock, PA and 7Safe QSA and Cyber Expert |
29 June 2018

When the surveys of cyber breaches appear each year, the same issues seem to crop up with wearying regularity. Yes, from time to time a ‘zero-day’ exploit hits the news but mostly it’s the usual suspects: default passwords, lack of patching, etc. The fact is companies fall victim to breaches because they fail to take the basic steps of cyber security. Or, at least, they fail to keep taking those steps.

A recent experience with one of our (nameless) clients illustrates the problem. The client provides telecoms services to a wide range of customers. Some of these use the services to transmit credit card data so they require our client to be PCI DSS compliant. In other words, being PCI DSS certified is critical to that part of the business.

Accordingly, they set up a compliance project and we worked with them to help them identify and rectify compliance gaps. Eventually, we were able to sign them off as compliant last year. However, although PCI assessment is an annual event, the standard recognises that security should be business as usual; in fact, there are thirty-eight requirements that explicitly require some sort of regular activity.

Compliance doesn’t always translate to Security – it needs to be continually tested and improved!

Despite this, on returning for a pre-assessment check we found that several critical periodic activities had not been done. Evidently once compliance had been achieved, the project manager was reassigned, the technical engineers went back to the day job of customer support and it was nobody’s job to ensure that the regular control checks happened. To help our client manage this we had provided them with a timetable of regular activities but these had never become part of business as usual (BAU).

If this can happen at an organisation that knows that undertaking specific regular control activities is essential to their continued compliance, what is the likelihood of other organisations keeping up to date with these essential controls? It is often the failure to maintain controls that leads to many vulnerabilities exploited by attackers.

Failure of controls is a common cause of data breaches. The solution: regular auditing processes.

The PCI Security Standards Council recognises this as a common situation and in an attempt to address this has introduced two new requirements for service providers:

A charter setting out overall accountability for maintaining PCI DSS compliance; and

Quarterly reviews to confirm personnel are following security policies and operational procedures, covering at least

• Daily log reviews

• Firewall rule-set reviews

• Applying configuration standards to new systems

• Responding to security alerts

• Change management processes

The new requirements are well-intentioned but they may just become another regular activity that gets overlooked. We can help our clients by first by making it part of our mindset. Whenever we help clients to implement controls we can ask ‘How confident am I that this control will still be functioning tomorrow?’ ‘How good is the governance?’ ‘How strong is the culture?’ And if the answer is ‘not very’ then there is an opportunity to start a conversation about what more we can do to support them.